Hi @cecheta ,

If you are testing this on author instance in local/staging environment, you can do below steps to test the request.

Go to http://localhost:4502/system/console/configMgr

Search for Apache Sling Referrer Filter

Check "Allow Empty"

Remove POST from Filter Methods

For Production environment, leave the default settings and test via dispatcher.

Please refer to this blog for more details How to make a simple HTTP POST request to AEM with a HTTP Rest Client, Postman - Sourced Code

Thank you for the replies,

@vanegi, @BrianKasingli Adding the path to the list of URLs that do not require authentication certainly worked, however it feels like a bit of a workaround. Is there no other way? What has changed in v6.4.8.1? Also I am not sure how I would add a request header from an HTML form.

@ChitraMadan I don't think this is related to the Apache Sling Referrer Filter, the host that makes the POST request has already been added to the Allowed Hosts. I also tried ticking Allow Empty and removing POST from the filter methods but still got the 403.

@kunal23 The granite.csrf.standalone clientlib has already been included on the page, but not inside the iframe. However, I am not sure this issue is related to the CSRF protection, as the servlet path has already been included in the Excluded Paths section of the Adobe Granite CSRF Filter config. I also tried removing POST from the filter methods but still got the 403.

Your help would be much appreciated, thank you.

@cecheta,

Try @vanegi's trick, "Allow anonymous", if that does not work, you can try to send a  request header:

Authorization Basic YWRtaW46YWRtaW4=

Hi @cecheta,

Have you tried checking the "Allow anonymous" in Apache Sling Authentication Service config?

Thanks!!